Pages

Friday, March 11, 2011

Facebook: DDoS attacks don't down the site, our screw-ups do

TechRadar met up with a number of Facebook engineers today, who explained the changes that were happening with the site in terms of implementing HTML 5 and how they work with the daily challenges of keeping the site upright.
One of the things mentioned was how the company works to curtail DDoS attacks, which according to Facebook happen very rarely.
"As far as I know, we have only had one or two DDoS attacks on the site," explained David Recordon, senior open programmes manager, at Facebook.
"You would need a pretty big botnet to attack us and I don't think they would want to put all their effort into downing the site and expose their ways.
"When we have site blips people think we are having an attack – it's not, it is usually us screwing up but it's fixed within an hour."Facebook attack
To keep Facebook and its API free from attack, the site does have a number of teams in place that monitor the site for security flaws and try and fix them ad hoc.
Recordon explained that there is a "site integrity team" in place whose sole job it is to check the site for imperfections and there are other techniques being used.
"We use a combination of technology and the systems that we have built from scratch," said Recordon.
Jason Cross, the first UK-based Facebook platform engineer, told to TechRadar that there are other security measures in place, one of which is protecting its Like button functionality from click jackers.
"We have click-jacking prevention techniques that we don't talk about and we try and stop it within our code, but we also speak to browser vendors," said Cross.

"Click-jacking is a very clever hack that people are doing. There is an on-going dialogue across the whole industry to prevent this, though."Security response
Jason Sobel, engineering manager at Facebook, explained to TechRadar that there were internal security procedures in place if the site is compromised, but there is also a reliance from external sources to let them know what is going on.
"We have a number of levels of security response," explained Sobel.
"We have a security incident team, and we get reports from white hat hackers who are trying to help us out which is great.
"We have other security glitches that aren't reported to us directly but we try and fix them within hours of them happening.
"We also have a team of internal white hats who find security holes before they are made public and this again is a massive help."Code red
Interestingly, problems with Facebook that come from the site's code are ultimately down to the person who created it.
So an engineer, no matter how low down the chain he is, could expect a midnight call if things on the site go awry and it is their code that is causing the problems.
"There are 24/7 engineers who watch all the monitoring data we have and make sure that if there is something that crashes or there are unusual trends on the site, we can fix them," said Sobel.
"If they don't know how to fix it, then we have app operations who know how to solve a vast number of problems. But the last resort is that we phone the engineer who created the code in the middle of the night to sort it."
Cross, who recently came back from a Facebook boot camp where he created some code for the site's photo section, explained a bit more about the situation.
"The developer has ultimate responsibility for the code, from its inception up until it is superseded.
"So it is scary if you are that developer, but what that makes you do is write code in the right way.
"It is all about relationship and accountability."